Memory corruption
对于系统中出现随机、不可解释的异常指针访问或数据错误导致的异常,一般要考虑是内存使用上出现了UAF(Use-After-Free),OOB(Out-of-Bounds)。
本章所指的”Memory corruption”特指Linux kernel侧出现的”Memory corruption”,子系统间的内存踩踏请参考 Firewall 。
通用方法
当怀疑系统有OOB、UAF类问题时,打开CONFIG_KASAN开关,进行复现。
当出现memory corruption问题时,系统默认会BUG_ON。
检查panic log信息,对于slub、stack、buddy page、全局变量的UAF和OOB均有关键信息指出,基本通过log能够解决所有问题。
典型问题
[ 6.262525] BUG: KASAN: global-out-of-bounds in __of_match_node+0x70/0xb8
[ 6.263391] Read of size 1 at addr ffffff9008d153a8 by task swapper/0/1
[ 6.264231]
[ 6.264439] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 6.1.94-rt33-gac7c113a9bab #2
[ 6.265488] Hardware name: Horizon Robotics J6E Evaluation Module Board (DT)
[ 6.266362] Call trace:
[ 6.266694] [] dump_backtrace+0x0/0x538
[ 6.267391] [] show_stack+0x14/0x20
[ 6.268048] [] dump_stack+0xa4/0xc8
[ 6.268703] [] print_address_description+0x1e4/0x250
[ 6.269539] [] kasan_report+0x2cc/0x300
[ 6.270240] [] __asan_load1+0x44/0x50
[ 6.270912] [] __of_match_node+0x70/0xb8
[ 6.271617] [] of_match_node+0x38/0x60
[ 6.272301] [] of_match_device+0x3c/0x50
[ 6.273012] [] platform_match+0x64/0x118
[ 6.273719] [] __driver_attach+0x40/0x140
[ 6.274435] [] bus_for_each_dev+0xcc/0x140
[ 6.275164] [] driver_attach+0x30/0x40
[ 6.275848] [] bus_add_driver+0x220/0x388
[ 6.276566] [] driver_register+0x108/0x170
[ 6.277295] [] __platform_driver_register+0x7c/0x88
[ 6.278122] [] j6_wdt_driver_init+0x34/0x4c
[ 6.278861] [] do_one_initcall+0xe4/0x1b8
[ 6.279581] [] kernel_init_freeable+0x1ac/0x260
[ 6.280363] [] kernel_init+0x10/0x118
[ 6.281036] [] ret_from_fork+0x10/0x18
[ 6.281713]
[ 6.281911] The buggy address belongs to the variable:
[ 6.282570] 0xffffff9008d153a8
[ 6.282974]
[ 6.283173] Memory state around the buggy address:
[ 6.283794] ffffff9008d15280: fa fa fa fa 07 fa fa fa fa fa fa fa 00 00 00 00
[ 6.284715] ffffff9008d15300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.285636] >ffffff9008d15380: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
[ 6.286552] ^
[ 6.287137] ffffff9008d15400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.288057] ffffff9008d15480: 00 00 00 fa fa fa fa fa 00 00 fa fa fa fa fa fa
[ 6.288974] ==================================================================
[ 6.289890] Disabling lock debugging due to kernel taint
错误类型global-out-of-bounds,全局变量越界访问,越界读取访问一个字节。
[ 6.263391] Read of size 1 at addr ffffff9008d153a8 by task swapper/0/1
[ 6.264231]
[ 6.264439] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 6.1.94-rt33-gac7c113a9bab #2
[ 6.265488] Hardware name: Horizon Robotics J6E Evaluation Module Board (DT)
[ 6.266362] Call trace:
[ 6.266694] [] dump_backtrace+0x0/0x538
[ 6.267391] [] show_stack+0x14/0x20
[ 6.268048] [] dump_stack+0xa4/0xc8
[ 6.268703] [] print_address_description+0x1e4/0x250
[ 6.269539] [] kasan_report+0x2cc/0x300
[ 6.270240] [] __asan_load1+0x44/0x50
[ 6.270912] [] __of_match_node+0x70/0xb8
[ 6.271617] [] of_match_node+0x38/0x60
[ 6.272301] [] of_match_device+0x3c/0x50
[ 6.273012] [] platform_match+0x64/0x118
[ 6.273719] [] __driver_attach+0x40/0x140
[ 6.274435] [] bus_for_each_dev+0xcc/0x140
[ 6.275164] [] driver_attach+0x30/0x40
[ 6.275848] [] bus_add_driver+0x220/0x388
[ 6.276566] [] driver_register+0x108/0x170
[ 6.277295] [] __platform_driver_register+0x7c/0x88
[ 6.278122] [] j6_wdt_driver_init+0x34/0x4c
[ 6.278861] [] do_one_initcall+0xe4/0x1b8
[ 6.279581] [] kernel_init_freeable+0x1ac/0x260
[ 6.280363] [] kernel_init+0x10/0x118
[ 6.281036] [] ret_from_fork+0x10/0x18
[ 6.281713]
[ 6.281911] The buggy address belongs to the variable:
[ 6.282570] 0xffffff9008d153a8
[ 6.282974]
[ 6.283173] Memory state around the buggy address:
[ 6.283794] ffffff9008d15280: fa fa fa fa 07 fa fa fa fa fa fa fa 00 00 00 00
[ 6.284715] ffffff9008d15300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.285636] >ffffff9008d15380: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
[ 6.286552] ^
[ 6.287137] ffffff9008d15400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.288057] ffffff9008d15480: 00 00 00 fa fa fa fa fa 00 00 fa fa fa fa fa fa
[ 6.288974] ==================================================================
[ 6.289890] Disabling lock debugging due to kernel taint
错误类型global-out-of-bounds,全局变量越界访问,越界读取访问一个字节。
检查Calltrace是在驱动probe匹配device、driver的过程中。
复杂问题可能需要检查trace后面buggy address(并非实际数据地址,而是在shadow 区的映射)信息综合分析,此问题可以看到要访问地址ffffff9008d153a8里数据为0xFA,0xFA代表全局变量的redzone(越界检测)。
检查逻辑__of_match_node过程是循环遍历of_match_table中所有的项,直到表项中成员为空退出循环。
const struct of_device_id *__of_match_node(const struct of_device_id *matches,
const struct device_node *node)
{
const struct of_device_id *best_match = NULL;
int score, best_score = 0;
const struct device_node *node)
{
const struct of_device_id *best_match = NULL;
int score, best_score = 0;
if (!matches)
return NULL;
return NULL;
for (; matches->name[0] |matches->type[0] |matches->compatible[0]; matches++) {
score = __of_device_is_compatible(node, matches->compatible,
matches->type, matches->name);
if (score > best_score) {
best_match = matches;
best_score = score;
}
}
score = __of_device_is_compatible(node, matches->compatible,
matches->type, matches->name);
if (score > best_score) {
best_match = matches;
best_score = score;
}
}
return best_match;
}
根据代码可知,越界原因是of_match_table变量尾部没有填充0。
}
根据代码可知,越界原因是of_match_table变量尾部没有填充0。
#ifdef CONFIG_OF
static const struct of_device_id j6_wdt_of_match[] = {
static const struct of_device_id j6_wdt_of_match[] = {
{ .compatible = "snps,j6_wdt", }
/* sentinel */
{ .compatible = "snps,j6_wdt", },
- {/* sentinel /} / PRQA S 1041 /
};
MODULE_DEVICE_TABLE(of, j6_wdt_of_match); / PRQA S 0605 */
#endif
'/%3e%3cpath%20d='M8%200.5C12.1421%200.5%2015.5%203.85786%2015.5%208C15.5%2012.1421%2012.1421%2015.5%208%2015.5C3.85786%2015.5%200.5%2012.1421%200.5%208C0.5%203.85786%203.85786%200.5%208%200.5Z'%20fill='url(%23paint1_linear_0_45845)'%20stroke='white'/%3e%3cpath%20d='M10.0597%204.5332C10.031%204.5332%2010.0036%204.54817%209.98859%204.57313L8.09724%207.79442C8.02613%207.90046%207.84897%208.23731%207.5483%208.7875C7.37863%209.0969%207.25387%209.32771%207.17152%209.48615C7.1341%209.55727%207.0293%209.53855%207.01807%209.45871C6.97191%209.11936%206.89456%208.6066%206.78727%207.91793L6.2483%204.61804C6.24207%204.57812%206.20713%204.54942%206.16721%204.54942H4.28085C4.2297%204.54942%204.18977%204.59683%204.201%204.64798L5.71059%2012.1959C5.71808%2012.2346%205.75176%2012.2621%205.79044%2012.2621H7.46845C7.49715%2012.2621%207.52335%2012.2471%207.53832%2012.2234L12.1869%204.65796C12.2205%204.60307%2012.1806%204.5332%2012.117%204.5332H10.0597Z'%20fill='white'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_0_45845'%20x1='8.99711'%20y1='15.3526'%20x2='47.3575'%20y2='15.3526'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%23AF86FF'/%3e%3cstop%20offset='1'%20stop-color='%23774EFF'/%3e%3c/linearGradient%3e%3clinearGradient%20id='paint1_linear_0_45845'%20x1='1.1152'%20y1='15.1368'%20x2='15.3888'%20y2='15.1368'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%23AF86FF'/%3e%3cstop%20offset='1'%20stop-color='%23774EFF'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)